Software innovation is fostering the development of a range of
cutting-edge technologies, such as artificial intelligence (AI), that offer
great promise to improve lives and help solve intractable problems.
AI is already leading to improvements in healthcare, advances in
education, more robust accessibility tools, stronger cybersecurity,
and increased business productivity and competitiveness, impacting
every sector. AI also has the potential to generate substantial
economic growth and enable governments to provide better and
more responsive government services while addressing some of the
most pressing societal challenges.¹

At the same time, AI that is not developed, trained, and deployed responsibly does
carry the risk of significant negative consequences that can result in an erosion of
public trust in AI. BSA therefore supports industry efforts to provide users of AI systems
with the information necessary to instill confidence that such systems were developed
responsibly and are operating as intended. Facilitating increased understanding and
promoting trust in the use of AI technologies is an important priority.


We likewise support a flexible policy framework that encourages responsible AI
practices that are critical to the successful deployment of AI products and services.
BSA highlights the below recommendations that would help in this endeavor:


Evidence-Based Approach. Carry out an in-depth study of how the already
strong and effective body of EU law applies to AI, before considering new
legislation.

Risk-Based Framework. Build a two-tiered risk-based approach that is
sector and use-case specific.

Balance the Allocation of Responsibility. Ensure that responsibility for
risks is assigned to the actor best placed to identify and mitigate potential
harms before they arise. To that end, the controller/processor distinction in
GDPR could be adapted to AI deployers and AI developers.








1 BSA Response & Recovery Agenda, May 27, 2020, https://www.bsa.org/policy-filings/bsa-response-recovery-agenda











Evidence-Based Approach 








A fundamental proposition of the European Commission's AI White Paper is that the
public should “expect the same level of safety and respect of their rights whether or
not a product or system relies on AI.” Developed and strengthened over the years,
the EU body of laws offers strong, technology-neutral protections that address multiple
concerns pertaining to AI. In the context of the work of the High-Level Expert Group
on AI (HLEG), BSA prepared a detailed analysis of EU legislation impacting AI,² which
provides an overview of how EU law already responds to many of the challenges posed
by new technologies. BSA recommends that the European Commission take stock of
this body of legislation in a targeted way, identify possible gaps and only propose new
legislation if there is no other way to rectify them, AI-specific or not.


Moreover, while new technologies may present new challenges, the protection and
enforcement of Fundamental Rights in the EU remain as strong as ever. BSA and its
members continue to work alongside EU Institutions and Member States to support a
strong EU body of law that provides safeguards for Fundamental Rights while fostering
innovation.

It is also important to stress that AI will be developed and deployed in an international
context, and the international standards community is beginning to address many
of the concerns raised around AI. BSA recommends that European authorities and
industry fully engage in these international efforts. International engagement will
be critical for ensuring that the EU approach to AI regulation is interoperable with
trading partners. Furthermore, to minimize the risk of international fragmentation,
the European Commission should consider the international regulatory landscape as
it evaluates new EU legislation, and preference should be given to options that are
interoperable with similar policies in foreign markets.







Risk-Based Framework 








Future legislative proposals should focus on high-risk scenarios where the deployment
of AI-based technologies poses a threat to Fundamental Rights. The scope of any
regulatory obligations should be a function of the degree of risk and the potential
scope and severity of harm. Many AI systems pose extremely low, or even no, risk to
individuals or society.

To this end, BSA supports the European Commission's approach of limiting regulation
to AI systems that are (1) deployed in a high-risk sector and (2) used in a manner that
gives rise to significant risks. BSA cautions against classifying certain sectors as per se
high-risk, whereby any AI tool deployed would be considered high-risk regardless of its
purpose and use. Applying the abovementioned two-pronged approach would much
better respond to the concerns the Commission seeks to address. It would also allow
for a more homogeneous application and understanding of the possible requirements
for high-risk AI, providing for the necessary proportionality and legal certainty as AI
technologies and tools are developed and deployed.

As part of this framework, the extent of human-in-the-loop involvement should be
considered. In such cases, AI applications may be used to enhance human
decision-making, and the risk consideration—even when the two above conditions are
fulfilled—is inevitably mitigated to some extent by the human involvement and control.





2 BSA Letter to the HLEG, June 6, 2019, https://www.bsa.org/files/policy-filings/06062019bsasubmissionaihleg.pdf











The touchstone of this approach should be the risk posed by specific uses of an AI
technology. Given the nascent nature of AI technology and sociotechnical quality of
many of its most significant challenges, a governance-based approach to legislation,
which identifies objectives and the processes that developers and deployers should
follow to achieve them, would be more effective than a prescriptive one. This is
especially true because the EU body of laws already provides for strong safeguards for
consumers and businesses.

Any proposed new legislative instruments should avoid one-size-fits-all mandates.
The AI ecosystem is broad because it includes a diverse range of technologies and
use cases, and involves a wide array of stakeholders. The risks that AI poses and the
appropriate mechanisms for mitigating those risks are largely context-specific. The
appropriate mechanisms and standards for training data, record keeping, transparency,
accuracy, and human oversight will vary depending on the nature of the AI system and
the setting in which it is being deployed. These categories do not lend themselves
well to prescriptive and one-size-fits-all requirements. Such ex-ante requirements could
impede efforts to address the very risks they are intended to address, add unnecessary
costs, and require extremely complex compliance checks.


Consistent with a governance-based approach, BSA recommends articulating a
framework that will enable stakeholders to perform an “impact assessment” on
high-risk AI systems, building upon the work done by the HLEG and many AI developers on
the Assessment List for Trustworthy Artificial Intelligence. The goal of these governance
processes should be to help developers and deployers of covered AI systems
document the processes by which they have identified and quantified any relevant risks
of harm to individuals or society, as well as the measures they have taken to mitigate
such risks. Importantly, impact assessments allow for a more context-specific evaluation
of the types of risk mitigation measures that are available, and which are best suited
for the particular deployment scenario. A combination of strong stakeholder
engagement in designing best practices for risk assessment, and legislation that
is built upon such a system, is more likely to integrate and encourage innovation
within clear legal parameters and requirements.








Balance the Allocation of Responsibility 


The European Commission's conclusion—that legal requirements for high-risk AI
applications “should be addressed to the actor(s) who is (are) best placed to address
any potential risks”—should be the guiding light in establishing how risk management
and liabilities are allocated. In many cases—especially in the cases of general-purpose
AI systems—developers will not be in the position to know whether the technology is
being deployed by an end-user in a manner that meets the definition of high-risk. To
the extent new legislation is contemplated, it should account for the unique roles and
capabilities of the entities that may be involved in an AI system's supply chain. Any
new regulatory obligations (and associated liabilities) should fall on the entity that
is best positioned to both identify and efficiently mitigate the risk of harm that
gave rise to the need for a regulation.

Legislative updates must be flexible enough to account for the unique considerations
that may be implicated by specific use cases. Business-to-Business (B2B) relations
are not the same as Business-to-Consumer (B2C) uses, and therefore entail different
considerations and allocation of responsibility and risk. In the B2B context, entities
should remain free to use contractual negotiations as a mechanism for allocating
risks, liabilities, and obligations in a manner that corresponds to the nature of the
transaction. In B2B relations, the allocation of risk and responsibility will be one part of
the contractual agreement between two entities, and that allocation should be based on
which party is in the best position to establish safeguards and mitigate the risk of harm.








Existing EU legislation may serve well in helping establish which entity is “best placed
to address any potential risk[]”. The entity that determines the purpose of the AI is
often similar to the concept of a “controller” under the GDPR.³ Applying this concept
in the context of AI, the “AI controller” will generally be the deployer of an AI
system (e.g., a vehicle manufacturer that integrates an AI-driven language recognition
system into an automobile, or a bank that uses an AI tool to score consumers for
loans), while the “AI processor” will generally be the developer of the AI system (e.g.,
the entity that developed all or part of the AI-driven language recognition system as
per the example above).


This key distinction could also help inform different AI workstreams, focusing on
sectors with very different definitions and approaches to risk management. Developers
are often better placed to describe the capabilities and limitations of an AI system,
whereas the performance of a context-specific impact assessment and disclosing
the fact of AI use to people likely to be affected by it will typically need to be the
responsibility of the deployer.


Under the GDPR, controllers and processors have different responsibilities for
achieving privacy outcomes that reflect their different roles. In particular, controllers
have primary responsibility for satisfying certain legal privacy and security obligations
and for honoring data subject rights requests. On the other hand, processors, which
handle data on behalf of the controller to implement the controller's objectives,
are responsible for securing the personal data they maintain and following the
instructions of a controller, pursuant to their agreements with relevant controllers.
The processor/controller distinction not only provides organizations with a clear
picture of their respective legal obligations, it also helps to ensure that data subjects'
rights are adequately protected. It is nevertheless important to stress that adapting
the controller/processor distinction to the developer/deployer relation in AI will still
need the necessary nuance. The context and purpose of AI tools should remain a key
guiding principle also in this context.


Beyond the developer/deployer concepts, it is equally important to note how risk
considerations vary greatly depending on the sector. In particular, in B2B relations risk
is often allocated on a contractual basis. Due to the complex and often diverse layers
in a supply chain, contractual agreements are often the preferred avenue to regulate
relations between businesses. BSA recommends including language allowing
companies to allocate risk and responsibilities on a contractual basis in the B2B
space. This would be beneficial both for existing B2B contracts and ultimately for
protecting consumers from potential harm caused by the misuse of AI.


BSA commends the European Commission's intention to maintain a strong focus on
the governance of future AI legislation and rules, especially in the implementation
and enforcement phase. BSA recommends ensuring that clear language for broad
stakeholder involvement is included in future legislation, to promote a beneficial
interaction between AI developers and deployers. As legislation is implemented
and enforced, the European Commission should retain a coordinating competence
for stakeholder engagement throughout the legislative process, and especially in the
implementation and enforcement phase.





3 Article 29 Working Party guidance on controllers and processors (WP 169) describes this party as the “determining 
body” that decides the “how” and the “why” of a processing operation. 





